Adequacy decision
An adequacy decision is a formal decision by the European Commission certifying that a third country, territory or sector ensures a level of data protection equivalent to the EU, allowing transfers there without additional safeguards.
The adequacy decision is the instrument set out in Article 45 GDPR by which the European Commission determines that a third country, a territory, one or more specified sectors within that third country, or an international organisation ensures an adequate level of protection for personal data – that is, a level essentially equivalent to that guaranteed within the Union. Where such a decision exists, personal data may be transferred to the country concerned without any specific authorisation and without the need for further appropriate safeguards such as standard contractual clauses or binding corporate rules. The transfer is thereby placed on the same legal footing as a data flow within the EU.
When carrying out its assessment, the Commission takes into account in particular the rule of law, respect for human rights and fundamental freedoms, the relevant data protection legislation, the access of public authorities to personal data, the existence of effective and enforceable data subject rights, and the presence of an independent supervisory authority. The decision includes a mechanism for periodic review, taking place at least every four years, and may be repealed, amended or suspended by the Commission if the third country no longer ensures the required level. Adequacy is therefore not a static status but is subject to ongoing monitoring.
The practical importance of the instrument is underlined by the case law of the European Court of Justice: in the Schrems I and Schrems II judgments the Court invalidated the predecessor decisions Safe Harbor and the EU-US Privacy Shield, because government access to data in the United States and the lack of legal redress for data subjects failed to uphold the required level of protection. Since July 2023 the EU-U.S. Data Privacy Framework once again provides an adequacy decision for the United States, but it applies only to certified organisations. Controllers must therefore always check whether a valid decision exists for their specific recipient country and whether its conditions apply in the individual case.
Legal Basis
Article 45 GDPR; Article 44 GDPR (general principle for third-country transfers)
Practical Example
A mid-sized company wants to run its applicant management through a cloud provider based in Canada. The data protection officer checks whether an adequacy decision exists for Canada and finds that the Commission has certified an adequate level of protection for commercial organisations subject to Canada's PIPEDA. She documents in the record of processing activities that the transfer is based on Article 45 GDPR, confirms that the specific provider falls within the material scope of the decision, and additionally concludes a data processing agreement. This removes the need to put standard contractual clauses and a transfer impact assessment in place.